(Getty Images)
Previous articles in this series have outlined why HTTPS is important for both consumers and businesses. So how does HTTPS actually work to protect consumer data?
A bit of a history lesson
In the early days of the Internet, data was transferred through HyperText Transfer Protocol, also known as HTTP. This was not secure because it transmitted information in “plain text,” or unencrypted text that was easy to read and intercept. HyperText Transfer Protocol Secured, or HTTPS, was engineered to protect sensitive data as it moves across the web.
HTTPS was created by joining HTTP with something called Secured Socket Layer technology, also known as SSL. A more modern version of this technology is called Transport Layer Security, or TLS, but in essence, they accomplish the same thing: protecting your data as it is in transit.
So how does it work?
When you’re not using your favorite mobile apps to access the Internet, you’re most likely using a web browser, such as Chrome, Firefox, or Microsoft Edge, to visit your favorite web page. The content from that web page is hosted on a server somewhere. Generally speaking, your web browser has to communicate with that server to load the content so you can look at it. To load that content, there has to be a connection over the Internet through your web browser (also known as a client) and the server.
So let’s say you’re looking at your favorite entertainment website on your desktop computer, and this website happens to be secured by HTTPS. You load your web browser, type in the web address for that site, and hit enter. What happens next?
Let’s be friends: the handshake
When you visit a website that is secured by HTTPS, a virtual “handshake” must occur before you are granted access. The client (your web browser) sends a message over to the server explaining how it will encrypt the data that is about to be sent between them. The server responds with its own message, describing its ability to encrypt the data. The client and then server agree on how they can both encrypt the data as they communicate with one another, and the server sends something called a digital certificate. This certificate verifies that the server your web browser is communicating with is who it claims to be and provides a special key to begin the encryption process. Once your web browser receives the certificate, it confirms its legitimacy, and sends its own special key to the server.
After this exchange takes place, the handshake is complete, and both computers agree to start encrypting! Following this, all data sent between the two computers are encrypted with HTTPS. All of this occurs within seconds, enabling you arrive at your favorite website. In the corner of your web browser, you will see a padlock icon, the word “Secure,” the website’s name in green letters, a long green bar, or sometimes a combination of these elements.
You said something about a certificates? Where do I get a certificate?
Good question! Our next piece in the series will explore digital certificates and Certificate Authorities, which are the groups that issue the certificates that are necessary for HTTPS encryption.
The articles in this series on website encryption, created to support National Cybersecurity Awareness Month, can be found at https://www.bbb.org/bbbsecure/. Support for the program was made possible by our Corporate Trust Roundtable partners, Comcast and Facebook.
